Now that's maybe not a bad idea ... but now I have to convince my boss of this, that's something else ... anyway I'll make a nice report of the things I'll want to do and the steps I'm gonna take ... with some fancy numbers in it ... this might help.

Something just doesn't sit well with me about this whole scenario. Why wouldn't you be able to talk to the client? Why aren't you given the info you need to do your job? Why aren't you allowed to seek this info? A client isn't a client unless they're willing and able to give you what you need. This is like if I told you there was a pot of gold buried somewhere in the US and I want you to find it. Happy treasure hunting.

Really though, you need to talk to the client and find out why he has this feeling so you will know where to start. I personally would leave out the IT staff due to the fact that, if it's an inside hack they have the most access and ability in this regard. In my experience though, people use "I've been hacked" to explain anything that might go wrong with a computer. It's possible he received a pop-up from a website that says, "You've been hacked! Download our software to protect yourself".

I persuaded my boss to have a face to face meeting with the client ... it took some fancy numbers and different colors though.

Seems as this is a "personal" friend of my boss (fancy that, not really a new client then) and he didn't want this to be taken lightly (as if) ... but now that he saw my plan he was all open about it (Jeezz).

So what is the problem ... the client has a new laptop (with Windows XP) and it needs to be updated and checked ... but he doesn't trust the local IT-staff anymore because he thinks they leave some "port" (his words) open on his laptop and use it to get sensitive info. (Why not get them fired then?? ... probably wants more evidence??)

But anyway the story short is, I need to do a security audit (why not tell me this immediately then) and report back to the client directly, not pass by the IT-staff ... So all your tips will come in handy ... now where's that Knoppix disk.

All the hush-hush for this... go figure ... but that's what you get with "personal" friends I guess!

Anyway thanks guys for giving me some advice ... It made writing the report a bit easier.

Please take a little advice from someone who has "been there and done that" so to speak. You are obviously talking about a professional relationship with a major new potential client?

1. Do not use the free versions of commercial software. They are for private use only. If you do this you will only create the impression that you are unprofessional and untrustworthy. Go for the 30 day evaluations instead.

2. Do not try to do anything on the cheap. It is results that count not price ... you are your company's ambassador, and first impressions are important. If you act the cheapskate, they will expect your fees to be the same.

3. Let the client do the talking, listen and evaluate. When they have finished you can ask your questions. Make sure that they indicate that you have listened to and understood what the client has said.

4. Keep important meetings offsite and away from the client's premises. Preferably during working time (not lunch breaks) when the "ears that hear and eyes that see" are otherwise occupied.

5. Make sure that you have a good cover story to explain why you are there. Otherwise you will be spotted immediately and they will cover their tracks and hide. I don't know the Belgian scene these days but perhaps some "data protection/security statutory compliance audit" ... "TVA recording compliance audit" ...

I base this advice on the time I spent as an auditor, and the brief was to catch thieves (fraudsters).

In Windows 2000 and XP (not sure about NT) if you go to the Computer Management part of the control panel it will show you current share connections, including user name, computer name and a few other tidbits of information. I haven't done much security work for large companies but I know home computer users like to see that MS Windows is doing something about their security, even though we know it's not doing a good enough job!

Originally posted here by Cemetric: but he doesn't trust the local IT-staff anymore because he thinks they leave some "port" (his words) open on his laptop and use it to get sensitive info

Just to add to Nihil's advice. The big guy thinks he's being hacked? Some "port"? He doesn't trust the IT staff. Remember the IT staff doesn't need to hack the laptop. When it's connected to the network, some if not all (depending on the size of the company) will have admin rights, know the local admin account, etc.

I've run into a situation where a programmer for HR software was giving out individual pay amounts to fellow employees. The programmer had access to the data to do her job, but abused the privilege.

So here's my additional advice. Keep quiet during the investigation. Compile the data and let the Boss ask the questions. Don't offer any advice unless asked.

Originally posted here by dinowuff: So here's my additional advice. Keep quiet during the investigation. Compile the data and let the Boss ask the questions. Don't offer any advice unless asked.

I disagree. I think being the expert in the field you are obligated to give advice. I agree that you might want to be selective on the advice you give, but by all means tell the boss what he needs to know. In most cases the boss doesn't know what questions to ask, so waiting for him to ask them isn't going to get anything accomplished. If it's a case of misguided mistrust, educate him.

Edit: After re-reading your statement, are you talking about the tech boss, or the client boss?